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Key KA/KB : Keys used to encrypt/decrypt data 
Data DA/DB : Plaintext Stored at the end-hosts A/B 
EA/EB : Cipher-text transmitted over the LAN 
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a) IP packet (42) 
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b) SSL/TLS: New IP packet with ESP and AH (46) 
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c) TCPSec: New IP packet with ESP, AH, and an extra TCP/UDP header (52)
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a) Original control IP packet (59) 
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b) Encapsulated control packet (63)
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c) Control packet with IP and transport layer headers appended (69)
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d) Encrypted control packet with appended headers (75) 
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Encrypted : Original transport layer data plus the appended 
headers 

e) Encrypted control packet after encapsulation (83) 
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a) Original control IP packet (91)



[ IP Header (92) | TCP/UDP Header (93) | TCP/UDP Data (94) ]



b) Encapsulated control packet (95) 
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c) Control packet with transport layer header appended (100)
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d) Encrypted control packet with appended header (105) 
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Encrypted: Original transport layer data plus the appended
headers 

e) Encrypted control packet after encapsulation (112) 
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Processing of the IP packets at the end-hosts (X = A, B) 

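# --- Processing of the IP packets at the end-hosts (X = A, B) ---
# Two keys exist per connection: Key_for_control_packet protects the
# connection-setup packets (TCP control packets / first UDP datagram) and
# Key_for_data_packet protects the data packets that follow. Both come from
# Initiate_key_exchange(); the control key is negotiated with the peer host
# when it is local, otherwise with the local gateway GX (which re-encrypts
# the packet on the next hop), while the data key is always negotiated with
# host X itself.

# is the outgoing packet at the initiator a control TCP packet or the first UDP packet?
if(IP_packet_out == (TCP_initiate_control_packet || UDP_initiate_first_packet)){

    # has the key exchange been done?
    if(key_exchange_for_control_packet == NOT_DONE){

        # is the host local?
        if(IP_hostX == LOCAL_HOST){
            Key_for_control_packet = Initiate_key_exchange(IP_hostX);
        }else{
            # remote host: control packets are protected hop by hop through the gateway
            Key_for_control_packet = Initiate_key_exchange(IP_gatewayGX);
        }
    }

    # has the key exchange been done for this connection?
    if(key_exchange_for_data_packet == NOT_DONE){
        # the data key is end to end with host X, never shared with the gateway
        Key_for_data_packet = Initiate_key_exchange(IP_hostX);
    }

    # encrypt, add ESP & AH, update headers
    Encrypt_packet(IP_packet_out, Key_for_control_packet);
}

# is the incoming packet a control TCP packet or the first UDP packet?
# at the responder
if(IP_packet_in == (TCP_initiate_control_packet || UDP_receive_first_packet)){

    # has the key exchange been done?
    if(key_exchange_for_control_packet == NOT_DONE){
        # something wrong, key exchange should have already happened
        Drop_packet_raise_alarm();
    }else{
        # verify the AH/ESP integrity check first, then decrypt, remove ESP & AH, update headers
        Decrypt_packet(IP_packet_in, Key_for_control_packet);
    }
}

# at the initiator
if(IP_packet_in == (TCP_respond_control_packet || UDP_respond_first_packet)){

    # same guard as the responder path: a response that arrives before the
    # initiator holds a control key cannot be authenticated, so drop it
    if(key_exchange_for_control_packet == NOT_DONE){
        Drop_packet_raise_alarm();
    }else{
        # verify integrity, decrypt, remove ESP & AH, update headers
        Decrypt_packet(IP_packet_in, Key_for_control_packet);
    }
}

# outgoing data packet
if(IP_packet_out == data_packet){
    # encrypt, add ESP and AH, update IP and transport layer headers
    # NOTE(review): no NOT_DONE guard on Key_for_data_packet here, unlike the
    # control path above -- confirm a data packet cannot precede the exchange
    Encrypt_packet(IP_packet_out, Key_for_data_packet);
}

# incoming data packet
if(IP_packet_in == data_packet){
    # authenticate, decrypt, remove ESP and AH, update IP and transport layer headers
    Decrypt_packet(IP_packet_in, Key_for_data_packet);
}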
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Processing of the control packets at the gateways GX (X, X' = A, B)

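# --- Processing of the control packets at the gateways GX (X, X' = A, B) ---
# Control packets are protected hop by hop: host X -> GX under
# Key_for_control_packet, GX -> GX' under Key_for_control_packet_GX_to_GX',
# and GX' -> X' under Key_for_control_packet_GX'_to_X'. Between decryption
# at the NIC and re-encryption the packet is in the clear inside the gateway
# so that the CPU can perform NAT and the VPN header rewriting below.

# is the outgoing packet (from a local host) a control TCP packet or the first UDP packet?
if(IP_packet_out == (TCP_control_packet || UDP_first_packet)){

    # has the key exchange been done?
    if(key_exchange_for_control_packet == NOT_DONE){
        # something wrong, key exchange should have already happened
        Drop_packet_raise_alarm();
    }else{
        # verify integrity, decrypt, remove ESP & AH, update headers
        Decrypt_packet(IP_packet_out, Key_for_control_packet);

        # VPN packets receive special treatment
        if(IP_packet_out == BELONGS_TO_VPN){
            # Recraft the packet by adding extra headers
            Recraft_packet(IP_packet_out);
        }

        # Allow the CPU to perform NAT etc. (goes from NIC to CPU)
        # now the packet is outbound (back from the CPU to the NIC)
        # encrypt it with the key agreed upon with the other gateway GX'
        # encrypt, add ESP & AH, update headers
        Encrypt_packet(IP_packet_out, Key_for_control_packet_GX_to_GX');
    }
}

# is the incoming packet (from the other gateway GX') a control TCP packet or the first UDP packet?
if(IP_packet_in == (TCP_control_packet || UDP_first_packet)){

    # has the key exchange been done?
    if(key_exchange_for_control_packet == NOT_DONE){
        # something wrong, key exchange should have already happened
        Drop_packet_raise_alarm();
    }else{
        # verify integrity, decrypt, remove ESP & AH, update headers;
        # this leg was encrypted by GX' under the gateway-to-gateway key
        Decrypt_packet(IP_packet_in, Key_for_control_packet_GX_to_GX');

        # Allow the CPU to perform NAT etc. (goes from NIC to CPU)

        # VPN packets receive special treatment
        if(IP_packet_in == BELONGS_TO_VPN){
            # generate the 5-tuple pair (used later to rewrite data packets)
            Gen_5-tuple(IP_packet_in);
            # Recraft the packet by removing extra headers
            Recraft_packet(IP_packet_in);
        }

        # now the packet is back from CPU to NIC
        # encrypt, add ESP & AH, update headers, send it to end host X'
        # (kept inside the else branch so a dropped packet is never recrafted or forwarded)
        Encrypt_packet(IP_packet_out, Key_for_control_packet_GX'_to_X');
    }
}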
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Processing of the data packets at the Gateway GX (X, X' = A, B) 



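# --- Processing of the data packets at the Gateway GX (X, X' = A, B) ---
# Data packets are protected end to end with Key_for_data_packet (negotiated
# by the end hosts with each other, see end-host processing), so as written
# the gateway never decrypts or verifies them: for VPN traffic it only
# rewrites the outer IP/transport headers from the 5-tuple pair recorded
# while the control packets were processed, and lets the CPU perform NAT.
# NOTE(review): because no integrity check happens here, any packet matching
# a recorded 5-tuple is forwarded; the end host's ESP/AH check is the only
# point where forged data packets are rejected.

# is the outgoing packet (from a local host) a data TCP or a successive UDP packet?
if(IP_packet_out == (TCP_data_packet || UDP_successive_packet)){

    # give special treatment to VPN packets
    if(IP_packet_out == BELONGS_TO_VPN){
        # use the 5-tuple to modify the IP and transport layer headers
        Substitute_IP_and_Port_numbers(IP_packet_out);
    }

    # network-to-network
    if(IP_packet_out == BELONGS_TO_NETWORK_TO_NETWORK){
        # do nothing
    }

    # Allow the CPU to perform NAT etc. (goes from NIC to CPU)
    # now the packet is outbound (back from the CPU to the NIC)
    # send it out without doing anything
}

# is the incoming packet a data TCP or a successive UDP packet?
if(IP_packet_in == (TCP_data_packet || UDP_successive_packet)){

    # Allow the CPU to perform NAT etc. (goes from NIC to CPU)
    # now the packet is outbound (back from the CPU to the NIC)

    # give special treatment to VPN packets
    if(IP_packet_in == BELONGS_TO_VPN){
        # use the 5-tuple to modify the IP and transport layer headers
        Substitute_IP_and_Port_numbers(IP_packet_in);
    }

    # network-to-network
    if(IP_packet_in == BELONGS_TO_NETWORK_TO_NETWORK){
        # do nothing
    }

    # send it out to the local host
}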
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Extra processing of the data and control packets at the end host
X (X = A, B) in network-to-network secure communication

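# --- Extra processing at end host X (X = A, B), network-to-network secure communication ---
# In this mode the end host itself builds and unbuilds the TCPSec packet
# (the extra TCP/UDP header shown in the figure) and rewrites its own outer
# IP/transport headers from the 3-tuple, mirroring what the gateway does
# with the 5-tuple in the gateway-to-gateway case.

# is the incoming packet a control TCP or UDP packet?
if(IP_packet_in == (TCP_control_packet || UDP_first_packet)){

    # is the incoming packet a TCPSec packet?
    if(IP_packet_in == TCPSec_packet){

        # verify integrity and decrypt before parsing the appended headers
        # NOTE(review): no NOT_DONE guard here; presumably the main end-host
        # path has already enforced it -- confirm this runs after that check
        Decrypt_packet(IP_packet_in, Key_for_control_packet);

        # generate the 3-tuple pair
        Gen_3-tuple(IP_packet_in);

        # Recraft the packet by removing extra headers
        Recraft_packet(IP_packet_in);
    }
}

# outgoing control packets
if(IP_packet_out == (TCP_control_packet || UDP_response_packet)){

    # make a TCPSec packet
    Recraft_TCPSec_packet(IP_packet_out);

    # encrypt it (the appended headers are inside the encrypted portion)
    Encrypt_packet(IP_packet_out, Key_for_control_packet);

    # use the 3-tuple to modify the IP and transport layer headers
    # NOTE(review): the outer headers are rewritten after Encrypt_packet has
    # added AH; if the AH ICV covers the IP header fields being substituted,
    # the receiver's integrity check will fail -- confirm the ICV is computed
    # over the substituted headers (or that AH excludes them)
    Substitute_IP_and_Port_numbers(IP_packet_out);
}

# outgoing data packets
if(IP_packet_out == (TCP_data_packet || UDP_successive_packet)){

    # encrypt it
    Encrypt_packet(IP_packet_out, Key_for_data_packet);

    # use the 3-tuple to modify the IP and transport layer headers
    # (same AH-coverage caveat as for control packets above)
    Substitute_IP_and_Port_numbers(IP_packet_out);
}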
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